Chapter 6. Using Remote Installation Services

Remote Installation Services (RIS) enables you to automate the installation of new computer systems using a centralized service accessible to network clients. RIS, which was introduced with Microsoft Windows 2000 Server, has been enhanced in Microsoft Windows Server 2003. Performance and security have been improved, and completely automated remote installation processes are now possible. Enhancements to RIS in Windows Server 2003 include the following:

  • Detection of client hardware abstraction layer (HAL) and subsequent HAL filtering guarantee that only images with a compatible HAL are deployed.

  • The local administrator password can be encrypted, although the domain administrator password still cannot be.

  • Dynamic Host Configuration Protocol (DHCP) is configured automatically during RIS setup.

  • The entire setup process, including the Client Installation Wizard (CIW) Text-mode portion, can be automated, allowing for completely hands-off setup of remote systems.

RIS also supports two new features of Windows Server 2003: Out-of-Band Management and Emergency Management Services.

Introduction to RIS

RIS allows you to install the Windows operating system onto a remote bare-metal machine. Because RIS installation requires systems that can boot from the network and establish network communications with the RIS server, the client machine should have hardware that supports the Preboot Execution Environment (PXE). For computers that don't have PXE support in their system firmware, Windows Server 2003 has a remote installation boot floppy (RIBF) disk that supports a small number of network adapters.

Services and Protocols Used by RIS

RIS comprises three services running on the RIS server: the Remote Installation service, the Trivial File Transfer Protocol Daemon (TFTPD) service, and the Single Instance Store service.

In addition, RIS relies on several other services and protocols. All RIS operations are based on the Transmission Control Protocol/Internet Protocol (TCP/IP) protocol suite and related services, such as the Domain Name System (DNS) and DHCP, and require the Active Directory directory service for authentication and account management.

Following are the services required on the RIS server:

  • Remote Installation service (BINLSVC): This service manages client requests for RIS, checks computer account configuration and the deployment method, and verifies logon credentials. Startup and shutdown of the Remote Installation service is controlled in the Services console. Configuration is performed by using RIS wizards and settings on the RIS server's computer object in Active Directory, while security is controlled by using Group Policy and NTFS file system permissions.

    Note

    The Remote Installation service was called the Boot Information Negotiation Layer (BINL) in earlier versions of the Windows operating system.

  • TFTPD: The Trivial File Transfer Protocol, or TFTP (and the TFTPD service), copies the Client Installation Wizard and other software required to start the installation of an operating system image from the RIS server to the target computer.

  • Single Instance Store service: The Single Instance Store (SIS) service works with RIS to minimize the space used to store multiple operating system images on a single RIS image partition. SIS maintains a single copy of all of the duplicate files used in all of the images on a single partition. SIS monitors the partition used for RIS images and, when duplicate files are detected, replaces the actual file with an NTFS reparse point referencing the location of a copy of that file. To accomplish this, SIS uses a special-purpose NTFS file system filter and a software agent called a groveler, which does the file management.

Caution

This form of optimizing storage requires that your backup software be SIS-aware, such as the Windows Server 2003 Backup application. Without SIS-aware backup software, restoration could experience errors or fail entirely.

The following are the required network services:

  • DHCP: DHCP provides the target computers with an Internet Protocol (IP) address and referral to a RIS server. The PXE specifications extended DHCP to add functionality, allowing PXE systems to locate remote installation servers.

  • DNS: DNS locates systems used in the various RIS operations, such as domain controllers and DHCP servers.

  • Active Directory: Active Directory performs user authentication to the domain and manages computer accounts; thus, Active Directory must be installed and accessible on the network for RIS to operate.

Limitations of RIS

Although RIS is a welcome new feature and will help with operating system installation in many network environments, there are some limitations to RIS that you should keep in mind, such as the following:

  • RIS supports only clean installations—you cannot upgrade an existing operating system.

  • Many Windows components and network services, such as DNS and Active Directory, can't be installed during setup.

  • RIS distribution files used to deploy an operating system must be nonencrypted—this means a RIS distribution folder cannot be encrypted by using Encrypting File System (EFS). Likewise, encrypted files cannot be added to RIS folders and deployed by RIS.

  • User-level security settings (file system security, for example) cannot be set by using RIS; rather, you must run a script after installation is complete.

  • RIS requires the image folder to be on a separate partition from the boot and system partitions.

  • Multihomed RIS servers require special consideration. The RIS server must also provide DHCP services to the client. The active DHCP scope must include all subnets used by the client computer, and that DHCP server must assign all IP addresses for that client computer. Adapters can be assigned IP addresses in one or more subnets.

  • Not only can RIS generate massive amounts of network traffic, it can also use up many processing cycles while doing so. Don't place RIS on application servers, such as those running Microsoft Exchange or Microsoft SQL Server.

  • Don't install RIS on a computer in a wireless network. Wireless clients can't support PXE, so RIS can't boot them.

Note

When deploying RIS into an environment where third-party remote installation servers are already in place, you should configure RIS to ignore boot requests from unknown clients. This ensures RIS won't interfere with preexisting remote installation servers that use the same remote boot protocols.

Operating Systems Installable by Using RIS

Only select Microsoft Windows operating systems can be installed using RIS—many earlier versions of clients or server operating systems are not supported. This is not likely to be much of a problem, however, because it seems unlikely that many businesses are working on large automated deployments of Microsoft Windows 95 or Microsoft Windows 98.

Windows Server 2003 RIS supports the remote installation of the following versions of the Windows operating system:

  • Windows Server 2003, Standard Edition

  • Windows Server 2003, Enterprise Edition

  • Windows Server 2003, Enterprise Edition, 64-bit version (only by using RISetup, not RIPrep)

  • Windows Server 2003, Web Edition

  • Microsoft Windows 2000 Professional, Server, and Advanced Server

  • Microsoft Windows XP Professional

Note

When talking about RIS, the term client computer refers to the target computer (the system on which the Windows operating system is being installed), even when the operating system you are installing is a Windows server version. Although RIS enables the remote installation of most versions of Windows Server 2003, note that RIS does not support the installation of Windows Server 2003, Datacenter Edition.

Note

RIS is not included with Windows Server 2003, Web Edition. Web Edition is designed to support Internet services, not the sort of corporate environment in which you would expect to use RIS, so it cannot be used as a RIS server. Additional network services that are required to support RIS operations, such as Active Directory, are not included in Web Edition either. Thus, to deploy RIS in your organization, you must use Windows Server 2003, Standard Edition or Enterprise Edition.

Designing the RIS Environment

Before you head off to install RIS, you should consider what the RIS server environment will look like when you are finished and what changes you must make to your existing network environment to support it. Start by considering where in the Active Directory infrastructure you plan to place the RIS server or servers. The logical structure of Active Directory is different from its physical structure. Logical structures include forests, domains, and organizational units (OUs). Physical structures include sites and subnets. Where you place your RIS server depends on how many clients the server must support; the forest, domain, and OU structures in place; and the connectivity for subnets within sites.

Typically, you want the RIS servers to be within the same site as the clients, but if connectivity between subnets is an issue, you'll want the RIS servers to be located on the same subnet as the clients. If you can't locate the RIS server in the same location or site as the RIS clients, you must ensure there is good connectivity between the subnets of the common domain. During installation, RIS clients must be able to connect to the RIS server. They find the server by sending a DHCP broadcast, which a DHCP server can respond to and use to inform the client where the RIS server is located. The RIS client's computer account must also have access to Active Directory within the domain in which the client's computer account was precreated or will be created during the installation process.
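The DHCP referral described above can also be checked from the defender's side. The following Python code is an added example, not code from this book or from Microsoft: it parses a DHCP reply, recognizes a PXE boot response by the standard vendor class option (60) value PXEClient, and compares the advertised boot server with an allowlist of sanctioned RIS servers. The addresses, the boot file name, and the function names are constructed for illustration.

```python
import ipaddress

MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie after the 236-byte BOOTP header

def parse_dhcp(packet):
    """Return next-server address, boot file name and raw options of a DHCP packet."""
    if len(packet) < 240 or packet[236:240] != MAGIC:
        raise ValueError("not a DHCP packet")
    options, i = {}, 240
    while i < len(packet) and packet[i] != 255:      # 255 = End
        if packet[i] == 0:                           # 0 = Pad, no length byte
            i += 1
            continue
        if i + 1 >= len(packet) or i + 2 + packet[i + 1] > len(packet):
            raise ValueError("truncated option")
        options[packet[i]] = packet[i + 2:i + 2 + packet[i + 1]]
        i += 2 + packet[i + 1]
    return {
        "siaddr": str(ipaddress.IPv4Address(packet[20:24])),
        "bootfile": packet[108:236].split(b"\x00", 1)[0].decode("ascii", "replace"),
        "options": options,
    }

def check_boot_reply(packet, allowed_servers):
    """Return None for non-PXE replies, else the advertised boot server and a verdict."""
    info = parse_dhcp(packet)
    opts = info["options"]
    if not opts.get(60, b"").startswith(b"PXEClient"):   # option 60 = vendor class
        return None
    server = info["siaddr"]
    if server == "0.0.0.0" and len(opts.get(54, b"")) == 4:   # fall back to server identifier
        server = str(ipaddress.IPv4Address(opts[54]))
    return {"server": server, "bootfile": info["bootfile"],
            "allowed": server in allowed_servers}

def build_sample(siaddr, bootfile, pxe=True):
    """Constructed BOOTREPLY for the demo; not captured traffic."""
    hdr = bytearray(236)
    hdr[0] = 2                                           # op = BOOTREPLY
    hdr[20:24] = ipaddress.IPv4Address(siaddr).packed    # siaddr = next server
    hdr[108:108 + len(bootfile)] = bootfile              # boot file name field
    opts = bytes([53, 1, 2]) + (bytes([60, 9]) + b"PXEClient" if pxe else b"") + bytes([255])
    return bytes(hdr) + MAGIC + opts

if __name__ == "__main__":
    allowed = {"192.0.2.10"}   # assumed address of the sanctioned RIS server
    for ip in ("192.0.2.10", "192.0.2.66"):
        print(check_boot_reply(build_sample(ip, b"constructed.boot"), allowed))
```

A reply whose boot server is not on the allowlist indicates a second remote installation server answering on the segment, which is the overlap the earlier note about third-party servers warns about.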

A single RIS server can handle between 70 and 75 simultaneous client installations. Any more than that and the server will bog down and stop handling requests. Contrary to some documentation, RIS can be configured on a server running other roles, including servers acting as domain controllers and running DHCP. In fact, in a very small environment, it is typical to have DHCP and RIS configured on the same server because this reduces the number of network packets that RIS clients send to DHCP and RIS servers and allows the simultaneous answering of requests. Combining these roles, however, does dramatically increase the load on the server, which can affect the server's response time. A more typical environment has a dedicated RIS server (or multiple RIS servers). With multiple RIS servers, you have the option of using a RIS referral server to help load balance the requests from clients.

Building a RIS Server: What's Involved

Now that you know how RIS works, its limitations, and design considerations, you are ready to deploy RIS. The procedures you must perform to get RIS up and working are as follows:

  1. Install the RIS server and make it a member of the Active Directory domain in which the RIS clients are located. Be sure the server either has multiple hard disk drives or is partitioned so that the boot and system partitions are separate from the RIS installation drive, as RIS requires.

  2. Add RIS to the server and then reboot it. Afterward, run the Remote Installation Services Setup Wizard (RISetup) to prepare the server to receive RIS images and put an initial image on the RIS partition or drive. When you do this, the RIS server is ready for use and you can add additional images to it by using RIPrep.

The finer details of step 2 are covered in the next section of this chapter.
